[sf-lug] VPS question: accessible by root user on physical host?

Rick Moen rick at linuxmafia.com
Sat May 31 14:42:09 PDT 2008


Quoting Jason Turner (jturner at nonzerosums.org):

> Thanks for the info, Rick.  Yep, I realize some element of trust will  
> always be involved if you don't have physical security.

Oddly enough, you end up having some element of trust even if you _do_
have physical security.  

Let's say you put your machines in a colo.  You now have whatever
physical security money can buy, which means the colo will protect your
computing up to the limits of their business self-interest.  Someone
wanting to snoop need not suborn the entire colo organisation:  One of
your competitors, or a private investigator, or a criminal group, might
just bribe or extort a janitor.  Various Feds, if they wanted to pry,
would generally serve a National Security Letter on the CEO.  In any of
those cases, you have hidden limits on the physical security you thought
you enjoyed.

Instead, you keep your machines behind locked doors at your business.  
Now, you have a slightly different (but overlapping) threat model to
your physical security.  (Your business has a janitor, too.  ;->  )

Finally, you can run the machines at your house -- but how physically
secure is your house, really?  Do you really trust young Mordred?  He's
a teenager now, and will probably give even your '70 Château Haut Brion
to anyone willing to give him enough quarters for an afternoon of video
gaming.  If the cops, or a private eye, climbed in over the geraniums
while you were off to Poughkeepsie, would you even _know_?[1]

So, you always end up having to trust some number of people, to some
degree, in some particulars -- regardless of physical-security
precautions.  The main point is to understand the risk model of each
option.

[1] The concepts of "tamper-evident", "intrusion-evident", and "IDS" are
valuable, here.  High confidence of being able to detect unauthorised
access/use is perhaps a smarter goal than its prevention -- detection
being easier to assure.




